Split Tunnel VPN to bypass Chinese Sensorship

Posted on 2014-01-08
Last Modified: 2014-01-14
My company has an office in China.  The great firewall of China often gets in the way of our western employees accessing sites that they need to work.  Some sites are completely blocked, others have their capability degraded to the point where they can be hardly used (such as Gmail).

We have a Sonicwall TZ170 in both Ottawa, Canada and Dongguan, China.  We have a VPN connection established between the sites.  I have tried routing all the traffic from Dongguan to Ottawa and this works, but it is far too slow to be practical.  

I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?

Also, we have used various VPN services on the client machines and these work well.  But I would rather have something centrally managed.  Is there a way to route specific traffic through a 3rd party VPN?

Running Windows 2012 servers pretty much through and through.
Question by:encoad
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 70

Expert Comment

ID: 39766723
» Is there a way to route specific traffic through a 3rd party VPN?
Usually the answer has to be "no". VPN clients are not intended to route traffic. I've managed to force Cisco (IPSec) VPN client and Windows RRAS into proper routing (see for details). Most other VPN clients do not use a virtual network interface you can see in RRAS, and so that will not work for them.

» I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?
Difficult to achieve. You'll have to route on target IP address. Unless the SonicWALL supplies wildcard routing via policy-based routing, to redirect all *.com, for example.

Author Comment

ID: 39766769
Is there some (relatively) inexpensive hardware that can help me achieve what I want? (either replacing or supplementing the Sonicwall).

The Sonicwall handle wildcard netmasks, but cannot do anything with specific domains.

We use VPN connections like PureVPN which works great, but I need this at the network level as opposed to the client level.

In my dreamworld, all domains owned by Google would go through PureVPN for example.
LVL 70

Expert Comment

ID: 39766855
Nothing you can set up easily will help you in your mission. And I can't tell anything about PureVPN - the info they provide is confusing, but the protocols they use would all allow for routing, if the client does. If it works with the MS VPN (PPTP, SSTP, L2TP/IPSec) or the default Open Source OpenVPN client, making a Windows machine a router is feasible.

Still all solutions would require you to divert by IP addresses, not names. And that is the main issue. But Google US has some fixed IP ranges, so that would be managable. You would have to define the specific routing on a single point, best on your default gateway, and that usage would be transparent, no need to set up more on clients.

IDK, but a Web Proxy could also be able to apply domain specific rules - maybe even routing.
LVL 20

Accepted Solution

carlmd earned 500 total points
ID: 39767662
Take a look at the following. Even though it is older, it should help you route the traffic.

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Know what services you can and cannot, should and should not combine on your server.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question